Botan versions before 3.12.0 contain a vulnerability (CWE-407) where the parser exhibits quadratic time complexity when processing specific indefinite length encodings in BER data. This inefficiency can be exploited to cause a denial of service by consuming excessive processing resources. The root cause is that Botan accepts indefinite length encodings in data structures that are required to be encoded as DER, which forbids such encodings. The issue is resolved in version 3.12.0 of Botan.

An attacker can cause a denial of service by supplying specially crafted BER encoded data that triggers quadratic parsing behavior in Botan versions prior to 3.12.0. This leads to excessive CPU consumption and potential service disruption. There is no indication of privilege escalation, data disclosure, or code execution from this vulnerability.

This vulnerability is fixed in Botan version 3.12.0. Users should upgrade to version 3.12.0 or later to remediate this issue. Patch status is not explicitly confirmed beyond the version fix note, so verify with the vendor advisory for the latest remediation guidance.